The getcert tool issues requests to a org.fedorahosted.certmonger service on behalf of the invoking user. It can ask the service to begin enrollment, optionally generating a key pair to use, it can ask the service to begin monitoring a certificate in a specified location for expiration, and optionally to refresh it when expiration nears, it can list the set of certificates that the service is already monitoring, or it can list the set of CAs that the service is capable of using.

If no command is given as the first command-line argument, getcert will print short usage information for each of its functions.

If getcert is invoked by a user with UID 0, and there is no system bus available, getcert will attempt to launch a temporary copy of the certmonger daemon to handle its requests.

If CERTMONGER_PVT_ADDRESS is set in the environment, getcert contacts the service directly at the specified location. All commands can take either the -s or -S arguments, which instruct getcert to contact the org.fedorahosted.certmonger service on the session or system bus, if no value is set. By default, getcert consults the org.fedorahosted.certmonger service attached to the system bus.